That's the comps file approach redhat-config-packages uses now,
essentially. Just need to have an idea of a comps file as a standalone
thing with a MIME handler perhaps.

Havoc

That's the comps file approach redhat-config-packages uses now,
essentially. Just need to have an idea of a comps file as a standalone
thing with a MIME handler perhaps.

Havoc

Statically linking isn't the answer proposed at all. Anyone trying to
do that will make the situation *much* worse.

I'm ASSuming Havoc meant bundling with as how many Windows apps do it -
they come (metaphorically speaking) as a bundle of RPMs, and the
dependencies are then installed as needed.

With our world of up2date/yum/apt we don't need to bundle the
dependencies. We just need to not keep breaking them so they stop
working unless you recompile half the machine. i.e., if mydep 1.1 isn't
API/ABI compatable with mydep 1.0, they must be coinstallable, and the
library versions updated.
LSB is just this, and many distros are LSB compliant these days.
Those that can't keep a stable ABI simply need to reflect this in some
meaningful way to both developers and users - soversions and
co-installable data, big warning labels, etc.
This sounds like it needs to be fixed; i.e., an easy way to disable
that. I know apps linked against older libcs work on RH9 (usually, the
occasional odd app fails, which is quite unfortunate).
Which is good. The LSB just needs to define more packages. But that's
just LSB. LSB is, again, most useful for commercial software. When
talking open-source apps, we have a lot more leeway. Namely, the
upstream devs can provide the "standard". Example, so long as the GTK
devs don't break their excellent track record of sane API/ABI
versioning, and so long as people package it properly (which, so far, is
the case on RH/Fedora), software can rely on GTK.

The same goes for any other dependency in which the upstream authors
apply proper release techniques.
LSB, I should note, also isn't for low-level system stuff. It's really
for monolithic apps. I don't even see the point in installing something
like, say, apache, as an LSB package - its not really the target
audience.
That would be interesting. The problem is, then, every single app that
possibly exists in the application/dependency archive would be in the
menues. Ick.

While I understand the use cases, as I've said on the autopackage lists,
and real Application Manager is needed (which I've some new ideas for,
i'll post those to the ap list).
Which isn't really possible. The best you could do is inform the user
that the system doesn't *appear* to be using the app anymore (no users
have a launcher for it, if you can even determine that easily) and let
them optionally uninstall it.

The same is true to libraries/dependencies - sure, normal users might
not need them if no other packages are using them, but hackers/admins
probably have a lot of stuff installed from source. So automatic
dependency "garbage" collection isn't really feasible, at least not
without lots and lots of user interaction and such.
It could be useful for on-disk management, corporate deployment, CDs,
etc. But probably not useful enough if the tools just become more
intelligent; i.e., if I click on a package in Nautilus and
redhat-install-packages sees I'm missing a dependency, it should try
looking in the folder the main package is in to find them. That would
make a lot of "off the 'net" RPM installations easier, for one. If the
package could point to URLs that have a list of packages for dependency
resolution, it would get even cooler (tho then GPG security and such
would probably be more important - I can just see the "Trust content
from Macromedia" dialogs and such one's accustomed to in Windows... but
then, blindly trusting an entire distro which is community based and in
which nearly anyone can eventually get access to upload packages, those
incessant dialogs are probably a better approach...)
yay standards! ;-)
Fortunately, the file name of an RPM is completely arbitrary. In large
collections with comps file (or whatever), "specific" naming is
possible; but if I want to put an RPM of some single piece of software
on my site, I'm quite free to call it anything.
Hmm, a bit farther than I had in mind, but it would certainly work; one
can imagine the "RPM Installer" Mozilla plugin. ;-)

If we even get to the point tho where the user can click the website
icon, and the Browser pops up a "Install Application?" dialog that
downloads and installs without the glitz, we'd be a long way ahead of
where we are now (click icon, get RPM, watch it not work, realize some
goof made the libinsane1 on OS release 2 completely incompatible with
libinsane1 on OS release 1, spend time figuring out whether the lib or
the app is easier to rebuild, find out the rebuild needs tons of build
dependencies which the tools don't bother to grab for you, etc. etc.).
That would certainly be nifty. Really, all that would require a small
.desktop-like file describing the package, and the mirror-net its on.
The install app just finds a mirror, looks up the real package (and
dependencies, possibly querying not only the app's mirror but also the
distro's repository), etc. Heck, I think there are a couple (not nearly
done) apps that do just this, minus the high-level of desktop
integration.
Agreed. Most of the responsibility has to lay with the upstream
developers. If the authors of libfoobar are goofs and refuse to put the
3 seconds of effort forth to make their software at least co-installable
with other versions, than any upstream dev who relies on libfoobar is
just as guilty of bad practices.

A good guide on packaging might help resolve a number of such
situation. One of the biggest problems with RPMs isn't even that the
software is actually incompatible, just that the packaging *makes* it
incompatible; packages putting things in different locations, packages
that conflict with each other in order to provide different optional
featuresets (why in all the world should a user have to unisntall an app
to add features? sounds dumb, but yet we have to do it many times,
because make packages like someapp-nofeatures, someapp-feature1,
someapp-feature2, someapp-allfeatures, etc. not necessary!)

Evangelism on the importance of proper development practices could be
useful, too. Probably the only place I've seen describing library
versioning in detail is the innards of the libtool manual. No wonder
lots of devs don't do it right, eh? Something like the war on drugs is
needed: DARP, Developers Against Ramshackle Packages. ;-)

Yeah and when you've done this you've also got virus, trojans, worms and
general system instability.

You can not trust just any random web page/gpg key/packager/whatever.
Distributions provide quality packaging, software review, system
consistency, etc (that's one of the reasons all the distributed software
projects that were proposed won't ever fly IMHO - there is no way so
many different actors with different priorities, backgrounds, deadlines,
etc can agree on a common set of rules strong enough to maintain the
overall quality a current distribution provides)

Now in the past one could say distros do not cover a large enough
spectrum. With projects like Fedora this is no longer true - you want
your app in Fedora just submit a quality package and it'll get in. Then
people will install it because they *trust* the Fedora signature/label.

Making a quality package is *hard*. Computer systems are *complex*. And
working outside of a big distribution-like project only makes packaging
*harder*.

Most of people who complain just want to offload crap packages on the
user like in the windows world. As someone who is regularly called to
clean up the damage these habits cause I respectfully disagree. It says
a lot that an experimental system like Rawhide often behaves better than
your average windows setup.

If you want to enlarge the packaged perimeter just mount a packager
group on which upstream projects can offload packaging problems.

If you think distributions are the problem (like autopackage people
obviously do) just get all people that think like you together and have
them agree on a common distribution method. I predict that the best
outcome will be yet another distribution (and the probable one utter
failure - people who don't want to package stuff cleanly now won't do it
tomorrow in another organisation)

There is one point I agree with you - it'd be cool if upstream projects
could more easily provide install profiles so people can use their stuff
after reading the web site. And this can be done pretty easily by a
comps.xml adaptation that would be fed to the local apt/yum/urpm that
would then pull relevant package_s_ from the *distribution* repository.

(and yes the package/profile separation is needed. I want to be able to
provide a artist profile and a tester profile, for example, and they
will both include the gimp package, because testers need to provide
annotated screenshots too)

And while there is room for gfx effects the core engine must be CLI/GUI
independent. I can assure you after the second installation you quickly
tire of the bloody widgets and yearn after something you can just run in
a ssh window/crontab/script. People will probably want to collect all
the profiles they commonly use on a floppy and feed all of them in a
single operation to the package manager of their new computer.

(think "modular kickstart")
There is no easy way.
You want to do distro-neutral packages ? Fine.
Just be damn good.
The day someone in one of your target distros release a better package
than yours poof you've instantly lost part of your target audience.

Remember : distro-specific packagers have this advantage they can use
all kind of fun "extensions" when you can't.

Realistically that means :
1. do not try to repackage stuff that's already in the distributions
2. follow strictly FHS and the parts of LSB that make sense - be
stricter than the others packagers you'll compete with
3. package a large enough pool of interdependent software people won't
be able to take "just one bit" and make it distro-specific easily
4. have a team with people that regularly use all target distros
5. use file names not package names as dependencies - distros will
rename/split/merge packages but the FHS will force them to use the same
file locations
6. use an apt+yum+urpmi repository to reach as much people as possible
7. whenever disto X has cool extension Y you want to use gently push Y
for inclusion in the other target distributions

Cheers,
--
Nicolas Mailhot
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Ceci est une partie de message
=?ISO-8859-1?Q?num=E9riquement?= =?ISO-8859-1?Q?_sign=E9e=2E?=
Url : http://lists.fedoraproject.org/pipermail/devel/attachments/20031012/22b4b15d/attachment.bin

Oh, I agree. Nonetheless it's a solution to "dependency hell."

My argument: there's a tradeoff. One shouldn't whine about dependencies
unless you can live with duplication. Because you win one or the other
and you may as well suck it up and live with this reality.
Right, this is what I mean by the placeholder term "LSB." LSB in
practice is lagging the actual platform people want to use by quite a
bit and seems to have some implementation issues as you mentioned. But
LSB is only one possible token of the type "define a core guaranteed
dependency set that will always exist, and apps must internalize
anything not in that core set" - which is the general approach for
avoiding "dependency hell" used by Windows/Mac.

To clarify dependency hell; if by that one simply means having to find
dependencies and install them, then you either internalize
non-core-platform deps, or you have external dependencies. That tradeoff
will never go away. Best you can do is have tools such as
yum/up2date/apt to simplify things.

If by dependency hell one means having to choose between set of apps
requiring library Foo version 1 and set of apps requiring library Foo
version 2, the solution to that is also known:
http://ometer.com/parallel.html and/or "compat" packages and soname
changes.

Unfortunately the upstream maintainers of many libraries are
uncooperative when it comes to solving this problem.

Some people seem to think there's a magic bullet here or that solutions
aren't known. I would say the solutions and tradeoffs _are_ known, and
people are just unwilling to accept them.

I don't believe the packaging format (RPM vs. whatever) has a *thing* to
do with it. RPM allows you to express dependencies to automated tools.
However, it doesn't _create_ the dependencies; you are free to have them
or not as you see fit. So blaming dependency hell on RPM is just
shooting the messenger.

Havoc

Statically linking isn't the answer proposed at all. Anyone trying to
do that will make the situation *much* worse.

I'm ASSuming Havoc meant bundling with as how many Windows apps do it -
they come (metaphorically speaking) as a bundle of RPMs, and the
dependencies are then installed as needed.

With our world of up2date/yum/apt we don't need to bundle the
dependencies. We just need to not keep breaking them so they stop
working unless you recompile half the machine. i.e., if mydep 1.1 isn't
API/ABI compatable with mydep 1.0, they must be coinstallable, and the
library versions updated.
LSB is just this, and many distros are LSB compliant these days.
Those that can't keep a stable ABI simply need to reflect this in some
meaningful way to both developers and users - soversions and
co-installable data, big warning labels, etc.
This sounds like it needs to be fixed; i.e., an easy way to disable
that. I know apps linked against older libcs work on RH9 (usually, the
occasional odd app fails, which is quite unfortunate).
Which is good. The LSB just needs to define more packages. But that's
just LSB. LSB is, again, most useful for commercial software. When
talking open-source apps, we have a lot more leeway. Namely, the
upstream devs can provide the "standard". Example, so long as the GTK
devs don't break their excellent track record of sane API/ABI
versioning, and so long as people package it properly (which, so far, is
the case on RH/Fedora), software can rely on GTK.

The same goes for any other dependency in which the upstream authors
apply proper release techniques.
LSB, I should note, also isn't for low-level system stuff. It's really
for monolithic apps. I don't even see the point in installing something
like, say, apache, as an LSB package - its not really the target
audience.
That would be interesting. The problem is, then, every single app that
possibly exists in the application/dependency archive would be in the
menues. Ick.

While I understand the use cases, as I've said on the autopackage lists,
and real Application Manager is needed (which I've some new ideas for,
i'll post those to the ap list).
Which isn't really possible. The best you could do is inform the user
that the system doesn't *appear* to be using the app anymore (no users
have a launcher for it, if you can even determine that easily) and let
them optionally uninstall it.

The same is true to libraries/dependencies - sure, normal users might
not need them if no other packages are using them, but hackers/admins
probably have a lot of stuff installed from source. So automatic
dependency "garbage" collection isn't really feasible, at least not
without lots and lots of user interaction and such.
It could be useful for on-disk management, corporate deployment, CDs,
etc. But probably not useful enough if the tools just become more
intelligent; i.e., if I click on a package in Nautilus and
redhat-install-packages sees I'm missing a dependency, it should try
looking in the folder the main package is in to find them. That would
make a lot of "off the 'net" RPM installations easier, for one. If the
package could point to URLs that have a list of packages for dependency
resolution, it would get even cooler (tho then GPG security and such
would probably be more important - I can just see the "Trust content
from Macromedia" dialogs and such one's accustomed to in Windows... but
then, blindly trusting an entire distro which is community based and in
which nearly anyone can eventually get access to upload packages, those
incessant dialogs are probably a better approach...)
yay standards! ;-)
Fortunately, the file name of an RPM is completely arbitrary. In large
collections with comps file (or whatever), "specific" naming is
possible; but if I want to put an RPM of some single piece of software
on my site, I'm quite free to call it anything.
Hmm, a bit farther than I had in mind, but it would certainly work; one
can imagine the "RPM Installer" Mozilla plugin. ;-)

If we even get to the point tho where the user can click the website
icon, and the Browser pops up a "Install Application?" dialog that
downloads and installs without the glitz, we'd be a long way ahead of
where we are now (click icon, get RPM, watch it not work, realize some
goof made the libinsane1 on OS release 2 completely incompatible with
libinsane1 on OS release 1, spend time figuring out whether the lib or
the app is easier to rebuild, find out the rebuild needs tons of build
dependencies which the tools don't bother to grab for you, etc. etc.).
That would certainly be nifty. Really, all that would require a small
.desktop-like file describing the package, and the mirror-net its on.
The install app just finds a mirror, looks up the real package (and
dependencies, possibly querying not only the app's mirror but also the
distro's repository), etc. Heck, I think there are a couple (not nearly
done) apps that do just this, minus the high-level of desktop
integration.
Agreed. Most of the responsibility has to lay with the upstream
developers. If the authors of libfoobar are goofs and refuse to put the
3 seconds of effort forth to make their software at least co-installable
with other versions, than any upstream dev who relies on libfoobar is
just as guilty of bad practices.

A good guide on packaging might help resolve a number of such
situation. One of the biggest problems with RPMs isn't even that the
software is actually incompatible, just that the packaging *makes* it
incompatible; packages putting things in different locations, packages
that conflict with each other in order to provide different optional
featuresets (why in all the world should a user have to unisntall an app
to add features? sounds dumb, but yet we have to do it many times,
because make packages like someapp-nofeatures, someapp-feature1,
someapp-feature2, someapp-allfeatures, etc. not necessary!)

Evangelism on the importance of proper development practices could be
useful, too. Probably the only place I've seen describing library
versioning in detail is the innards of the libtool manual. No wonder
lots of devs don't do it right, eh? Something like the war on drugs is
needed: DARP, Developers Against Ramshackle Packages. ;-)

Yeah and when you've done this you've also got virus, trojans, worms and
general system instability.

You can not trust just any random web page/gpg key/packager/whatever.
Distributions provide quality packaging, software review, system
consistency, etc (that's one of the reasons all the distributed software
projects that were proposed won't ever fly IMHO - there is no way so
many different actors with different priorities, backgrounds, deadlines,
etc can agree on a common set of rules strong enough to maintain the
overall quality a current distribution provides)

Now in the past one could say distros do not cover a large enough
spectrum. With projects like Fedora this is no longer true - you want
your app in Fedora just submit a quality package and it'll get in. Then
people will install it because they *trust* the Fedora signature/label.

Making a quality package is *hard*. Computer systems are *complex*. And
working outside of a big distribution-like project only makes packaging
*harder*.

Most of people who complain just want to offload crap packages on the
user like in the windows world. As someone who is regularly called to
clean up the damage these habits cause I respectfully disagree. It says
a lot that an experimental system like Rawhide often behaves better than
your average windows setup.

If you want to enlarge the packaged perimeter just mount a packager
group on which upstream projects can offload packaging problems.

If you think distributions are the problem (like autopackage people
obviously do) just get all people that think like you together and have
them agree on a common distribution method. I predict that the best
outcome will be yet another distribution (and the probable one utter
failure - people who don't want to package stuff cleanly now won't do it
tomorrow in another organisation)

There is one point I agree with you - it'd be cool if upstream projects
could more easily provide install profiles so people can use their stuff
after reading the web site. And this can be done pretty easily by a
comps.xml adaptation that would be fed to the local apt/yum/urpm that
would then pull relevant package_s_ from the *distribution* repository.

(and yes the package/profile separation is needed. I want to be able to
provide a artist profile and a tester profile, for example, and they
will both include the gimp package, because testers need to provide
annotated screenshots too)

And while there is room for gfx effects the core engine must be CLI/GUI
independent. I can assure you after the second installation you quickly
tire of the bloody widgets and yearn after something you can just run in
a ssh window/crontab/script. People will probably want to collect all
the profiles they commonly use on a floppy and feed all of them in a
single operation to the package manager of their new computer.

(think "modular kickstart")
There is no easy way.
You want to do distro-neutral packages ? Fine.
Just be damn good.
The day someone in one of your target distros release a better package
than yours poof you've instantly lost part of your target audience.

Remember : distro-specific packagers have this advantage they can use
all kind of fun "extensions" when you can't.

Realistically that means :
1. do not try to repackage stuff that's already in the distributions
2. follow strictly FHS and the parts of LSB that make sense - be
stricter than the others packagers you'll compete with
3. package a large enough pool of interdependent software people won't
be able to take "just one bit" and make it distro-specific easily
4. have a team with people that regularly use all target distros
5. use file names not package names as dependencies - distros will
rename/split/merge packages but the FHS will force them to use the same
file locations
6. use an apt+yum+urpmi repository to reach as much people as possible
7. whenever disto X has cool extension Y you want to use gently push Y
for inclusion in the other target distributions

Cheers,
--
Nicolas Mailhot
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Ceci est une partie de message
=?ISO-8859-1?Q?num=E9riquement?= =?ISO-8859-1?Q?_sign=E9e=2E?=
Url : http://lists.fedoraproject.org/pipermail/devel/attachments/20031012/22b4b15d/attachment-0002.bin

Oh, I agree. Nonetheless it's a solution to "dependency hell."

My argument: there's a tradeoff. One shouldn't whine about dependencies
unless you can live with duplication. Because you win one or the other
and you may as well suck it up and live with this reality.
Right, this is what I mean by the placeholder term "LSB." LSB in
practice is lagging the actual platform people want to use by quite a
bit and seems to have some implementation issues as you mentioned. But
LSB is only one possible token of the type "define a core guaranteed
dependency set that will always exist, and apps must internalize
anything not in that core set" - which is the general approach for
avoiding "dependency hell" used by Windows/Mac.

To clarify dependency hell; if by that one simply means having to find
dependencies and install them, then you either internalize
non-core-platform deps, or you have external dependencies. That tradeoff
will never go away. Best you can do is have tools such as
yum/up2date/apt to simplify things.

If by dependency hell one means having to choose between set of apps
requiring library Foo version 1 and set of apps requiring library Foo
version 2, the solution to that is also known:
http://ometer.com/parallel.html and/or "compat" packages and soname
changes.

Unfortunately the upstream maintainers of many libraries are
uncooperative when it comes to solving this problem.

Some people seem to think there's a magic bullet here or that solutions
aren't known. I would say the solutions and tradeoffs _are_ known, and
people are just unwilling to accept them.

I don't believe the packaging format (RPM vs. whatever) has a *thing* to
do with it. RPM allows you to express dependencies to automated tools.
However, it doesn't _create_ the dependencies; you are free to have them
or not as you see fit. So blaming dependency hell on RPM is just
shooting the messenger.

Havoc